Bugtraq mailing list archives
Re: Securax Advisory 13
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Tue, 2 Jan 2001 20:55:10 +0100
On Mon, 1 Jan 2001, incubus wrote:
> when someone telnets to a unix system, the tty that will be assigned to him will be writable for any user on the system. However, when he is logged in, his tty will not be writable for all users. So if someone would write data to a tty that is currently used by someone who's logging in, that person won't be able to log in.
Completely wrong:

a) first of all, modern Linux boxes have a dynamic pts allocation scheme (devpts or Unix '98 ptys). In this case, the pts lives as long as you are using it, and is NOT a static object which is world-writable before use,

b) then, whenever this mechanism is not available, which is the case you are talking about, it works this way: in order to open /dev/ttypa0 (for example), you have to open /dev/ptya0 (master + slave device scheme); as long as you are using the pseudo-terminal (read: as long as you own the fd), it wouldn't be allocated by anyone else (because /dev/ptya0 cannot be re-opened - it is exclusive access). So, as long as you are keeping a descriptor to the pseudo-terminal device, it wouldn't be reused. Period. You cannot keep the fd using a background process, logout, log in again and have the same tty. Please read the documentation.

[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ttyb1
cat: /dev/ttyb1: Błąd wejścia/wyjścia
(cannot access slave without opening master)

[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ptyb1 &
[1] 6296
[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ptyb1
cat: /dev/ptyb1: I/O error
(can open master only once)

[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ttyb1 &
[2] 6298
[lcamtuf@squirrel:6 lcamtuf]$ kill -9 6296
[1]- Killed                  cat /dev/ptyb1
[2]+ Done                    cat /dev/ttyb1
(you cannot keep the fd after closing the master)
> bzero(tty, sizeof(tty));
> strcat(tty, "/dev/tty4"); /* change to tty you want */
Real terminals (ttys) have a completely different mechanism and are NOT used for remote (e.g. telnet) system access. And even in this case, you have the so-called terminal hangup mechanism, which will protect you against such attacks, btw.
> write(fd, string, sizeof(string));
...consider TIOCSTI, btw...

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =--=>
Did you know that clones never use mirrors? <=--=
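The devpts behaviour Zalewski describes above, as an added example that is not part of the original thread: it allocates a Unix 98 pty with posix_openpt() and checks that the slave node is owned by the allocating user and is not world-writable, and that the slave path can no longer be opened once the master is closed. The helper open_master() is assumed for this example, and it needs a mounted /dev/pts.

```c
#define _XOPEN_SOURCE 600 /* posix_openpt, grantpt, unlockpt, ptsname */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: allocate a Unix 98 pty; returns the master fd, slave path in name. */
static int open_master(char *name, size_t len)
{
    int m = posix_openpt(O_RDWR | O_NOCTTY);
    if (m < 0) return -1;
    const char *p;
    if (grantpt(m) < 0 || unlockpt(m) < 0 || (p = ptsname(m)) == NULL) {
        close(m);
        return -1;
    }
    snprintf(name, len, "%s", p);
    return m;
}

/* 1 if a freshly allocated slave is owned by the allocating user and is not
 * world-writable, 0 if it is world-writable, -1 if no pty could be allocated. */
int fresh_slave_is_private(void)
{
    char name[64];
    struct stat st;
    int m = open_master(name, sizeof name);
    if (m < 0) return -1;
    int rc = (stat(name, &st) == 0 && st.st_uid == getuid()
              && !(st.st_mode & S_IWOTH)) ? 1 : 0;
    close(m);
    return rc;
}

/* 1 if the slave path can no longer be opened once its master is closed (the
 * node is torn down with the master), 0 if it still opens, -1 on failure. */
int slave_gone_after_master_closed(void)
{
    char name[64];
    int m = open_master(name, sizeof name);
    if (m < 0) return -1;
    int s = open(name, O_RDWR | O_NOCTTY); /* works while the master is held */
    if (s < 0) { close(m); return -1; }
    close(s);
    close(m);                              /* release the master */
    int again = open(name, O_RDWR | O_NOCTTY);
    if (again >= 0) { close(again); return 0; }
    return 1;                              /* open fails, typically ENOENT */
}
```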